Roles are collections of database credentials and Cirro permissions that you can grant to other roles or users.

Create a Role

  • Click Users & Roles then View all roles.

  • Click Create a Role.

Set up the role

  • First, name the role - this needs to be a unique identifier that doesn’t include spaces or other characters.

  • Next, choose your options:

Option Description See also
Azure AD group (optional) Enter your Azure AD group to apply the role to. Available only if AZURE AD is a default authentication provider. Configure Azure AD roles
LDAP group (optional) Choose which LDAP group to apply the role to. Available only if LDAP is a default authentication provider. Configure LDAP roles

Types of Role

There’s two basic types of Role you can create.

Role Type Description See also
Cirro Permissions Role Create role that includes a collection of child roles and/or cirro permissions Cirro Permissions Role
Datasource keychain role Create a role that grants access to databases and objects. Datasource Keychain Role

You can also mix and match child roles, permissions and credentials within the same role if required.

Cirro Permissions Role

A Cirro role can contain child roles which already exist on the server and a collection of Cirro permissions that enable the role to perform different functions.

  • Toggle Grant Role to Role to view a list of all Roles your user has permissions to view.

Also available are Cirro’s built-in roles, created to speed the onboarding process. Each allows login to Cirro and a subset of Cirro permissions.

Cirro Role Description
secure_connect secure_connect allows users to login to Cirro and execute SQL on single datasources.
federated_read_only the federated_read_only role allows users to execute SQL queries on groups of datasources, but only as read-only.
federated_read_write the federated_read_write role allows users to execute SQL queries on groups of datasources and write to these databases.
data_migrator The data_migrator role is used for data management to manage and execute data copy projects.
cirro_admin The administrator role that has all Cirro permissions to allow complete administration of the Cirro system.
  • Tick roles then use the arrow keys to grant or revoke them.

  • Toggle Grantable so any user granted the parent role can grant the child role to other users.

Grant Cirro Permissions

Cirro permissions are required to access different Cirro functionality and are equivalent to specific Cirro SQL commands.

  • Select permissions then use the arrow keys to grant or revoke them.

  • Click NEXT then Finish to save.

Datasource Keychain Roles

A Database Keychain role grants access to Datasources and objects.

Click Next until the Database Credentials page opens.

The page contains all direct Database privileges the role has been granted, with the datasource and user name.

You can edit the credential login user or revoke the credential.

Grant Credentials

When you grant a credential, the database username and password restricts access to the data within. You can grant an additional level of security by defining object access.

Granting a credential is a two step process.

  • First, click to open the credential dialog.

  • Second, choose the Datasource, then enter the appropriate username and password. For example, for a DBA user, you’d use the DBA username.

  • Click Add Credential.

Once added, the new credential is added to the page. You can edit the username and password or delete them.

Define object access

To add an additional level of security, you can grant specific permissions at the schema, database, object and column level.

Click NEXT until the System Object Permissions page opens.

This is a three-step process.

  • First, click click to open the object picker.

    • Choose the system, database and object, then click the arrow keys to grant them.

    • Click OK when finished.

  • Second, tick each privilege (e.g., SELECT, DELETE, UPDATE) and use the arrow keys to grant or revoke.

  • Third, set an encryption key (if required).

    • Select the objects then click Encryption Keys.

    • Tick each key then use the arrow keys to grant or revoke.

    • Click OK when finished.

When you’re ready, click Finish to save the role.